Overview

This article provides a brief introduction to Payment Card Industry (PCI) compliance. Additional information about PCI compliance may be found on the PCI Security Standards Council website.

What is PCI compliance?

The PCI Data Security Standard (PCI DSS) is a set of requirements compiled by the PCI Security Standards Council (PCI SSC). The PCI SSC is made up of businesses associated with credit card providers, debit card providers, credit card/debit card processors, and prepaid card providers. The standards created by the PCI SSC are guidelines for processing, storing, or transmitting credit card information while maintaining a secure environment. The PCI DSS requirements are:

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect stored cardholder data

Encrypt transmission of cardholder data across open, public networks

Use and regularly update anti-virus software

Develop and maintain secure systems and applications

Restrict access to cardholder data by business need to know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain an information security policy

Do I need my site to be PCI compliant?

Many sites do not need to be PCI compliant. If you have not been told that PCI compliance is absolutely necessary, you may not need it. The best approach is usually to evaluate the needs of your site and examine the list of requirements above.

If it is determined that you will need PCI compliance, you should work with your internal teams to come up with a strategy on how to become PCI compliant. Making sure your site is PCI compliant is not supported by (mt) Media Temple. While we can assist with some aspects of PCI compliance, meeting the full requirements listed above will be up to you.

PCI compliance and Plesk

As of Plesk Onyx, Plesk includes a built-in utility that helps with several aspects of achieving PCI compliance. You may still need to install an SSL certificate and adjust other aspects of your server, but the utility automatically adjusts several settings to meet compliance standards.

One known limitation: SSL/TLS compression is not disabled on Debian 7 for ProFTPD, Dovecot, and Postfix. (This does not affect Media Temple Plesk users.)
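The compression caveat above can be verified against the mail daemons' own configuration. This is an added example, not code from Media Temple or Plesk; it assumes Postfix's `tls_ssl_options = NO_COMPRESSION` and Dovecot's `ssl_options = no_compression` settings, uses constructed sample configs, and leaves ProFTPD out.

```python
# Added example: audit Postfix/Dovecot config text for the TLS-compression
# setting. Assumes Postfix `tls_ssl_options = NO_COMPRESSION` and Dovecot
# `ssl_options = no_compression`; a missing setting counts as "not disabled".
import re

# Constructed sample configs: Postfix has the fix, Dovecot does not.
POSTFIX_MAIN_CF = """\
# /etc/postfix/main.cf (constructed)
smtpd_tls_security_level = may
tls_ssl_options = NO_COMPRESSION, NO_TICKET
"""
DOVECOT_CONF = """\
# /etc/dovecot/conf.d/10-ssl.conf (constructed)
ssl = required
#ssl_options = no_compression
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def parse_settings(text):
    """Return {key: value} for `key = value` lines, skipping comments and
    blanks; a later duplicate key overrides an earlier one, as the daemons do."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out setting is not in effect
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def compression_disabled(settings, key, flag):
    """True only if `flag` is one of the comma/space-separated tokens of `key`."""
    tokens = re.split(r"[\s,]+", settings.get(key, "").lower())
    return flag.lower() in tokens

def audit(postfix_text, dovecot_text):
    """Map daemon name -> whether its config disables TLS compression."""
    return {
        "postfix": compression_disabled(parse_settings(postfix_text),
                                        "tls_ssl_options", "NO_COMPRESSION"),
        "dovecot": compression_disabled(parse_settings(dovecot_text),
                                        "ssl_options", "no_compression"),
    }

if __name__ == "__main__":
    for daemon, ok in audit(POSTFIX_MAIN_CF, DOVECOT_CONF).items():
        print(f"{daemon}: TLS compression {'disabled' if ok else 'NOT disabled'}")
```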

Can I host a PCI compliant site on the Grid?

Because the Grid is a shared environment, sites hosted on it will not meet PCI compliance. This does not mean that eCommerce on the Grid is impossible. Many well-known eCommerce sites do not require PCI compliance, and SSL certificates may still be used to verify the identity of a site and to encrypt information transferred over HTTPS. However, without a dedicated hosting environment, PCI DSS compliance cannot be met.

Payment gateway services may also be used to satisfy a need for PCI compliance, since the gateway handles the cardholder data rather than your site. Some of these include PayPal, Amazon Webpay, Google Wallet, Authorize.net, etc.

Resources

If you have any further questions on PCI compliance you may refer to the following sites.